Ensure the web app has 'Client Certificates (Incoming client certificates)' set to 'On'

In enterprise environments, TLS mutual authentication lets the server verify the authenticity of its clients. When incoming client certificates are enabled, only an authenticated client that presents a valid certificate can access the app.

Risk Level: Low
Cloud Entity: Web Apps service
CloudGuard Rule ID: D9.AZU.CRY.20
Covered by Spectral: Yes
Category: Compute


WebApp should have inner.clientCertEnabled=true


From Portal

  1. Go to 'App Services' from Azure Management console and choose your App Service.
  2. Under 'Settings', select 'Configuration' on the navigation menu.
  3. Select 'General Settings'.
  4. Go to 'Client Certificate mode' under 'Incoming Client Certificates' and select the 'Require' button.
  5. Click Save.

Note: By default, Client Certificate mode is set to Ignore.

From TF
Set the 'client_cert_enabled' argument to 'true':

resource "azurerm_app_service" "example" {
	# other required arguments omitted
	client_cert_enabled = true
}

From Command Line

az webapp update --resource-group RESOURCEGROUPNAME --name APPLICATIONSERVICENAME --set clientCertEnabled=true
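
To verify the setting after remediation, the following added example (not part of the CloudGuard rule or of Azure tooling) evaluates this rule over the JSON printed by `az webapp list -o json`. The sample records and the script name are constructed, and the WARN cases for `clientCertMode` and `clientCertExclusionPaths` are an assumption layered on top of the rule, which tests only `clientCertEnabled`.

```python
import json
import sys

# Constructed sample shaped like `az webapp list -o json` (not real resources).
SAMPLE = """[
 {"name": "app-required", "clientCertEnabled": true,  "clientCertMode": "Required", "clientCertExclusionPaths": null},
 {"name": "app-optional", "clientCertEnabled": true,  "clientCertMode": "Optional", "clientCertExclusionPaths": null},
 {"name": "app-excluded", "clientCertEnabled": true,  "clientCertMode": "Required", "clientCertExclusionPaths": "/health"},
 {"name": "app-ignore",   "clientCertEnabled": false, "clientCertMode": "Required", "clientCertExclusionPaths": null}
]"""


def evaluate(app):
    """Return (status, reason) for one web app record."""
    # The rule on this page: clientCertEnabled must be true.
    if app.get("clientCertEnabled") is not True:
        return "FAIL", "clientCertEnabled is not true; client certificates are ignored"
    # Assumption beyond the rule: flag settings that weaken enforcement.
    mode = app.get("clientCertMode")
    if mode != "Required":
        return "WARN", f"clientCertMode is {mode!r}, not 'Required'"
    excluded = app.get("clientCertExclusionPaths")
    if excluded:
        return "WARN", f"paths exempt from certificate checks: {excluded}"
    return "PASS", "client certificate required on all paths"


def audit(apps):
    """Map each app name to its status."""
    return {app.get("name", "<unnamed>"): evaluate(app)[0] for app in apps}


if __name__ == "__main__":
    # Usage (hypothetical file name): az webapp list -o json | python3 audit_client_certs.py
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    apps = json.loads(raw) if raw.strip() else json.loads(SAMPLE)
    for app in apps:
        status, reason = evaluate(app)
        print(f"{status:4} {app.get('name', '<unnamed>')}: {reason}")
    # Non-zero exit when any app fails the rule, for use in CI.
    sys.exit(1 if "FAIL" in audit(apps).values() else 0)
```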


  1. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-configure-tls-mutual-auth
  2. https://docs.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest
  3. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#auth_settings

Web Apps service

Azure App Service is an HTTP-based service for hosting web applications, REST APIs, and mobile back ends. You can develop in your favorite language, be it .NET, .NET Core, Java, Ruby, Node.js, PHP, or Python. Applications run and scale with ease on both Windows and Linux-based environments.

Compliance Frameworks

  • AZU PCI-DSS 4.0
  • Azure CIS Foundations v. 1.1.0
  • Azure CIS Foundations v. 1.2.0
  • Azure CIS Foundations v. 1.3.0
  • Azure CIS Foundations v. 1.3.1
  • Azure CIS Foundations v. 1.4.0
  • Azure CIS Foundations v. 1.5.0
  • Azure CIS Foundations v.2.0
  • Azure CloudGuard Best Practices
  • Azure HITRUST v9.5.0
  • Azure ITSG-33
  • Azure NIST 800-53 Rev 5
  • CloudGuard Azure All Rules Ruleset